URL Filtering Based On URIs on Palo Alto Firewalls

We get requests to block a site's base domain while allowing only certain pages on it, based on the URI (the part that comes after the "/"), e.g.

hostname.com – block
hostname.com/page2 – allow

You need the URL filtering license to be able to do this. 

Initially I tried it with a single policy, which failed; then, using two policies, you can get the exact filtering.

I am using Daniel Miessler’s blog for demonstration. We will allow /blog, /popular, and /study and block the base hostname.

danielmiessler.com – block

And these are to be allowed while everything else is blocked.

danielmiessler.com/blog 
danielmiessler.com/popular
danielmiessler.com/study


Create a custom URL category object containing the paths to allow.

(Screenshot: panos-url-category-paths-allowed)

Repeat this for the base domain to be blocked.

(Screenshot: panos base domain to block)

Add them to URL Filtering profile objects and set the proper actions.

Note the actions; getting them right is the most important part here.

(Screenshot: panos url filtering allowed paths)
This profile goes in the first security policy; the allowed-paths category object is set to allow.

(Screenshot: panos url base domain block)
This profile goes in the second security policy, which has action deny; the base-domain category object is set to block, and the paths category is set to none.

Create both security policies: one to allow the paths and one to deny the base domain.

(Screenshot: panos path allowed)

(Screenshot: panos block base)
Ignore the blurred part and just use the block-domain URL Filtering profile you created before.

The final policy order, with the allow rule before the deny one.

(Screenshot: panos url filtering rule order)
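The same configuration expressed as PAN-OS CLI set commands, as an added example that is not part of the original post. The object and rule names (miessler-allowed-paths, miessler-base-domain, allow-miessler-paths, block-miessler-base), the trust/untrust zones, and the use of each custom category as a URL Category match condition on its security rule are assumptions; the screenshots above may differ in detail, so check the commands against your PAN-OS version in a lab before committing.

```text
configure

# Custom URL category holding the paths to allow (object names are assumptions)
set profiles custom-url-category miessler-allowed-paths type "URL List"
set profiles custom-url-category miessler-allowed-paths list [ danielmiessler.com/blog/ danielmiessler.com/popular/ danielmiessler.com/study/ ]

# Custom URL category holding the base domain to block
set profiles custom-url-category miessler-base-domain type "URL List"
set profiles custom-url-category miessler-base-domain list [ danielmiessler.com/ ]

# URL Filtering profiles: one allows the paths category, one blocks the base-domain category
set profiles url-filtering allow-miessler-paths allow [ miessler-allowed-paths ]
set profiles url-filtering block-miessler-base block [ miessler-base-domain ]

# Rule 1: allow traffic whose URL matches the allowed-paths category, with the allow profile attached
set rulebase security rules allow-miessler-paths from trust to untrust source any destination any application any service application-default category [ miessler-allowed-paths ] action allow profile-setting profiles url-filtering allow-miessler-paths

# Rule 2: deny traffic whose URL matches the base-domain category
set rulebase security rules block-miessler-base from trust to untrust source any destination any application any service application-default category [ miessler-base-domain ] action deny

# Order matters: the base-domain entry also covers the allowed paths, so the allow rule must come first
move rulebase security rules allow-miessler-paths before block-miessler-base

commit
```

The lines starting with # are explanatory and are not accepted by the PAN-OS CLI; paste only the set, move and commit commands. Two points worth checking when this is tested: PAN-OS evaluates security profiles only on traffic a rule allows, so on rule 2 it is the URL Category match plus the deny action that does the blocking, not the attached profile; and the firewall can only match on a path if it sees the full URL, so for an HTTPS site the traffic has to pass through SSL Forward Proxy decryption, otherwise only the hostname from the SNI or certificate is visible and the allowed-paths rule will never match.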

 

And that's all there is to it, folks! You can try other variations of this; I'll update the post if I come across something.